CVE-2021-39210

Description

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

Related CPE's

Could not find any relations

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2

https://huntr.dev/bounties/b2e99a41-b904-419f-a274-ae383e4925f2/

https://github.com/glpi-project/glpi/releases/tag/9.5.6

CvssV3 impact

Version	3.1
VectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AttackVector	NETWORK
AttackComplexity	LOW
PrivilegesRequired	LOW
UserInteraction	NONE
Scope	UNCHANGED
ConfidentialityImpact	HIGH
IntegrityImpact	NONE
AvailabilityImpact	NONE
BaseScore	6.5
BaseSeverity	MEDIUM

CvssV2 impact

Could not find any metrics

Created by Yello

About Severity.io